1

I have a question for anyone who might know the answer. My boss has asked me to PCAP a SIP stream from a VOIP phone by plugging my laptop into the same unmanaged switch, without enabling port mirroring on the phone. Even in promiscuous mode, I believe you will only get the broadcast frames. He claims to do this all the time on his Mac. I figured that he is using a hub but he claims to be using a PoE unmanaged switch. Does anyone have an idea as to how or if this can be done?

2 Answers

1

Given the situation described, you are correct that you will not capture a useful amount of SIP traffic since it will not be destined for your laptop (unless you spoof the IP address of the SIP gateway). An unmanaged switch without port mirror capabilities will not deliver network frames to the 'wrong' port to allow a capture unless the switch is seriously malfunctioning. The boss is likely using a hub or has some other design in use that allowed the capture to produce useful data.

To get an effective capture of the SIP traffic, you need to do so on the phone itself (an option in the phone features?), via a mirrored switch port (copying traffic from the port the phone is connected to) or at a gateway device the traffic will pass through, or at the SIP server/gateway device where the SIP traffic is destined.

1
  • That's exactly what I was thinking. I've been able to capture whole streams by enabling port mirroring on the phone and plugging into the switch on the phone. Thank you for the response!
    – Dylan Gray
    Commented Feb 7 at 17:54
0

> PCAP a SIP stream from a VOIP phone by plugging my laptop into the same unmanaged switch

With an unmanaged switch or a managed one without port mirroring/SPAN you'll see only very little broadcast traffic. Relevant traffic is unicast and only visible on the involved switch ports.

> without enabling port mirroring on the phone.

Port mirroring on the IP phone is only relevant for the integrated switch, i.e. the loop-through LAN port.

> Even in promiscuous mode, I believe you will only get the broadcast frames.

That is correct. Promiscuous mode on the monitoring NIC is a prerequisite to receive frames with non-local destination addresses but these frames would need to reach the NIC first, hence the need to configure monitoring/mirroring.

> I figured that he is using a hub

That is possible since repeater hubs make all traffic visible on all ports. However, hubs have all but vanished from professional use. The latest models must be more than 20 years old.

Options for monitoring traffic:

  • use a hub between (unmanaged) switch port, phone and monitoring NIC
  • use a managed switch with port mirroring between (unmanaged) switch port, phone and monitoring NIC
  • configure the phone's loop-through port for mirroring and connect the NIC there
2
  • Thank you for verifying all this information sir!
    – Dylan Gray
    Commented Feb 7 at 17:55
  • @DylanGray Please don't forget to eventually accept an answer. (And you may vote for any useful ones, too.)
    – Zac67
    Commented Feb 7 at 18:04
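
The behaviour both answers describe, as an added example that is not part of either answer: a toy model of which frames reach a laptop on a spare port of an unmanaged switch, a hub, and a switch with port mirroring. The single-device topology, port numbers, MAC addresses and the four frames are constructed for illustration.

```python
# Added illustration: toy model of frame delivery, not a real switch implementation.
BROADCAST = "ff:ff:ff:ff:ff:ff"

class Hub:
    """Repeater hub: every frame is repeated out of every other port."""
    def __init__(self, ports):
        self.ports = set(ports)

    def deliver(self, in_port, src, dst):
        return self.ports - {in_port}

class Switch:
    """Learning switch; mirror=(source_port, monitor_port) models port mirroring/SPAN."""
    def __init__(self, ports, mirror=None):
        self.ports = set(ports)
        self.mac_table = {}      # MAC address -> port it was last seen on
        self.mirror = mirror

    def deliver(self, in_port, src, dst):
        self.mac_table[src] = in_port                  # learn where the sender lives
        if dst != BROADCAST and dst in self.mac_table:
            out = {self.mac_table[dst]} - {in_port}    # known unicast: one port only
        else:
            out = self.ports - {in_port}               # broadcast or unknown: flood
        if self.mirror:
            source, monitor = self.mirror
            if in_port == source or source in out:     # copy rx and tx of source port
                out = (out | {monitor}) - {in_port}
        return out

PHONE, GATEWAY = "00:00:5e:00:53:01", "00:00:5e:00:53:02"  # constructed MACs
# Constructed traffic: (ingress port, src MAC, dst MAC, description)
TRAFFIC = [
    (1, PHONE, BROADCAST, "ARP who-has gateway"),
    (2, GATEWAY, PHONE, "ARP reply"),
    (1, PHONE, GATEWAY, "SIP REGISTER"),
    (2, GATEWAY, PHONE, "SIP 200 OK"),
]

def seen_on(device, monitor_port=3):
    """Descriptions of the frames that reach the laptop on monitor_port."""
    return [desc for in_port, src, dst, desc in TRAFFIC
            if monitor_port in device.deliver(in_port, src, dst)]

if __name__ == "__main__":
    print("unmanaged switch:", seen_on(Switch([1, 2, 3])))
    print("hub:             ", seen_on(Hub([1, 2, 3])))
    print("mirrored switch: ", seen_on(Switch([1, 2, 3], mirror=(1, 3))))
```

The laptop never appears in the switch's MAC table as a destination, so promiscuous mode on its NIC has nothing extra to receive; only the hub or the mirror configuration puts the SIP frames on its port.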
